The new threat, dubbed "Bateleur", appears to be targeting chain restaurants based in the United States. It arrives via malicious spam sent from either an Outlook.com or Gmail account that purports to contain a previously discussed check as its attachment. That document claims to be encrypted by "Outlook.com Protect Service" or "Google Protect Service".
Malicious “Outlook” document lure (left) and “Google” lure (right). (Source: Proofpoint)
Malicious macro sequence. (Source: Proofpoint)
Proofpoint's Matthew Mesa and Darien Huss detail what this sequence of events produces:
After achieving persistence by creating a scheduled task, Bateleur can collect information about the infected machine, take screenshots, steal passwords, and load EXEs and DLLs. To evade detection, it can also detect VirtualBox, VMware, and other virtualization software, and it checks its own script against a blacklist of terms such as "malware" and "Desktop."
At this point, Proofpoint's researchers think Bateleur originates from Carbanak/FIN7, the same APT responsible for Odinaff and other malware. They base their attribution on several key pieces of evidence, such as the similar email messages used to deliver both Bateleur and another backdoor called "GGLDR", as well as both campaigns' use of a Meterpreter downloader script called "Tinymet".
Beginning snippet from Tinymet downloaded by Bateleur. (Source: Proofpoint)
Notwithstanding its expanding toolset, Carbanak relies on well-known attack vectors to deliver Bateleur, GGLDR, and other threats.
Organizations should therefore take this opportunity to begin educating their employees about phishing emails if they don't already do so. They should also consider investing in email security solutions as additional layers of protection against social engineering attacks.
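As an added defender-side example (not code from Proofpoint or this article), the following Python triage scores a message for the three lure traits the report describes: a free-mail sender, a "check we discussed" pretext, and an Office document attachment. The sample message, the domain list, the extension list and the pretext words are all constructed assumptions; the "Protect Service" banner lives inside the document itself, so a gateway that does not open attachments cannot see it.

```python
import email
from email import policy

# Constructed sample message modelling the lure described in the article.
SAMPLE_EML = b"""\
From: Accounts <payments@outlook.com>
To: manager@restaurant.example
Subject: Re: check
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, attached is the check we discussed last week.

--b1
Content-Type: application/msword; name="check.doc"
Content-Disposition: attachment; filename="check.doc"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

# Assumed tuning values; extend them from lures observed in your own mail flow.
FREEMAIL_DOMAINS = {"outlook.com", "gmail.com"}
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".rtf", ".xls", ".xlsm")
PRETEXT_WORDS = ("check", "invoice")


def triage(raw: bytes) -> dict:
    """Return which lure traits one RFC 822 message exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    addrs = msg["From"].addresses if msg["From"] else ()
    domain = addrs[0].domain.lower() if addrs else ""
    if domain in FREEMAIL_DOMAINS:
        reasons.append(f"free-mail sender domain {domain}")
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    if any(a.lower().endswith(OFFICE_EXTENSIONS) for a in attachments):
        reasons.append("Office document attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")
    if any(w in text.lower() for w in PRETEXT_WORDS):
        reasons.append("payment pretext in subject or body")
    # Each trait alone is common; flag only when all three coincide.
    return {"suspicious": len(reasons) == 3, "reasons": reasons,
            "attachments": attachments}
```

The result is meant as a routing signal for sandbox detonation or quarantine review, not a verdict on its own.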